CVE-2015-3660 — Cross-site Scripting in Apple Safari

CWE-79 — Cross-site Scripting CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

4.3MEDIUMNVD

GHSA5.0

EPSS

0.3%

top 44.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nokogiri Apple Safari Apple Safari 8.0.7 Safari 7.1.7 AND Safari

Timeline

PublishedJul 3

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in the PDF functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL in embedded PDF content.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDapple/safari6.2.6+21

▶Appleapple/safari_8.0.7_safari_7.1.7_and_safari6.2.7

▶RubyGemsnokogiri/nokogiri1.6.0 — 1.6.7.1

🔴Vulnerability Details

GHSA

GHSA-3874-c4vv-qxvf: Cross-site scripting (XSS) vulnerability in the PDF functionality in WebKit in Apple Safari before 6↗2022-05-17

▶

GHSA

Nokogiri subject to DoS via libxml2 vulnerability↗2018-08-21

▶

OSV

CVE-2015-3660: Cross-site scripting (XSS) vulnerability in the PDF functionality in WebKit in Apple Safari before 6↗2015-07-03

▶

📋Vendor Advisories

Red Hat

libxml2: CPU exhaustion when processing specially crafted XML input↗2015-12-01

▶

Apple

CVE-2015-3660: Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7↗

▶